I'm not able to establish a network connection between two brokers via an SSL transport when I turn on JAAS certificate authentication. I want to do this with a hub & spoke architecture, where one broker is the hub, and passively accepts network connections from spokes that use duplex connections. I have this working without JAAS certificate authentication, where the relevant configuration looks like this:

Broker "hub"

    <broker brokerName="hub" ... >
      <sslContext>
        <sslContext keyStore="file:hub.ks" keyStorePassword="hubpassword"
                    trustStore="file:hub.ts" trustStorePassword="hubpassword" />
      </sslContext>
      <transportConnectors>
        <transportConnector name="openwire" uri="tcp://localhost:51001" />
        <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
      </transportConnectors>
    </broker>

Broker "spoke"

    <broker brokerName="spoke" ...>
      <sslContext>
        <sslContext keyStore="file:spoke.ks" keyStorePassword="spokepassword"
                    trustStore="file:spoke.ts" trustStorePassword="spokepassword" />
      </sslContext>
      <networkConnectors>
        <networkConnector name="tohub" uri="static:(ssl://127.0.0.1:51000)" duplex="true" />
      </networkConnectors>
      <transportConnectors>
        <transportConnector name="openwire" uri="tcp://localhost:51002" />
      </transportConnectors>
    </broker>

I now want to enable JAAS authentication, so I add this plugins section to the hub broker (right before the closing </broker> tag):

    <plugins>
      <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
    </plugins>

When I do this, I start to get errors like this:

    2010-05-20 20:32:29,350 WARN | Failed to add Connection
    java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
        at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
        at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
        at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
        at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
        at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
        at java.lang.Thread.run(Thread.java:619)

I suspected that this might have to do with the duplex connection, but I get the same error when the networkConnection uses duplex="false".

Can anyone tell me what I might be doing wrong? FYI I have turned on ssl debug and seen the SSL handshakes in the log.

Thanks,
Jim Lloyd